Overview
overview
4Static
static
3BetterDisc...ws.exe
windows11-21h2-x64
4$PLUGINSDI...ge.dll
windows11-21h2-x64
3$PLUGINSDI...ls.dll
windows11-21h2-x64
3$PLUGINSDI...em.dll
windows11-21h2-x64
3BetterDiscord.exe
windows11-21h2-x64
3LICENSES.c...m.html
windows11-21h2-x64
3d3dcompiler_47.dll
windows11-21h2-x64
3ffmpeg.dll
windows11-21h2-x64
3libEGL.dll
windows11-21h2-x64
3libGLESv2.dll
windows11-21h2-x64
3resources/app.js
windows11-21h2-x64
3swiftshade...GL.dll
windows11-21h2-x64
3swiftshade...v2.dll
windows11-21h2-x64
3vk_swiftshader.dll
windows11-21h2-x64
3vulkan-1.dll
windows11-21h2-x64
3Analysis
-
max time kernel
145s -
max time network
143s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
27-08-2024 00:55
Static task
static1
Behavioral task
behavioral1
Sample
BetterDiscord-Windows.exe
Resource
win11-20240802-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/BgImage.dll
Resource
win11-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win11-20240802-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win11-20240802-en
Behavioral task
behavioral5
Sample
BetterDiscord.exe
Resource
win11-20240802-en
Behavioral task
behavioral6
Sample
LICENSES.chromium.html
Resource
win11-20240802-en
Behavioral task
behavioral7
Sample
d3dcompiler_47.dll
Resource
win11-20240802-en
Behavioral task
behavioral8
Sample
ffmpeg.dll
Resource
win11-20240802-en
Behavioral task
behavioral9
Sample
libEGL.dll
Resource
win11-20240802-en
Behavioral task
behavioral10
Sample
libGLESv2.dll
Resource
win11-20240802-en
Behavioral task
behavioral11
Sample
resources/app.js
Resource
win11-20240802-en
Behavioral task
behavioral12
Sample
swiftshader/libEGL.dll
Resource
win11-20240802-en
Behavioral task
behavioral13
Sample
swiftshader/libGLESv2.dll
Resource
win11-20240802-en
Behavioral task
behavioral14
Sample
vk_swiftshader.dll
Resource
win11-20240802-en
Behavioral task
behavioral15
Sample
vulkan-1.dll
Resource
win11-20240802-en
General
-
Target
LICENSES.chromium.html
-
Size
5.1MB
-
MD5
6b84319ee8a0a0af690273d3d2dcbaf4
-
SHA1
857ca353e0582d100dcbc6cb6761bb4430d0cb90
-
SHA256
fc2a256467fb4d4ff72be6c423e5961e98b418554deeec296aded0e757b9a585
-
SHA512
26f9842bfdb429ef132cc1a930da9187071a339927eda402e8d54b5eb9e03067612cdadc3a2dad3d0977f8e6af18c05eab6ac91720221c6a0104f96638f85a8a
-
SSDEEP
24576:yd97B+mnLiLsrDy2VrErjKCqzkU98wwg3QeXuh:0P+mLAqHBCuRoeS
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepid process 1128 msedge.exe 1128 msedge.exe 3668 msedge.exe 3668 msedge.exe 1736 msedge.exe 1736 msedge.exe 2300 identity_helper.exe 2300 identity_helper.exe 3544 msedge.exe 3544 msedge.exe 3544 msedge.exe 3544 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid process 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe 3668 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3668 wrote to memory of 992 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 992 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 5112 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 1128 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 1128 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4564 3668 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xbc,0x10c,0x7ffc3ba93cb8,0x7ffc3ba93cc8,0x7ffc3ba93cd82⤵PID:992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵PID:5112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:82⤵PID:4564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:12⤵PID:3992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵PID:1708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1736 -
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵PID:3412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:2340
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:1692
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:12⤵PID:228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,12597322063753947391,4934331743199994143,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5516 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3544
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3160
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5302c3de891ef3a75b81a269db4e1cf22
SHA15401eb5166da78256771e8e0281ca2d1f471c76f
SHA2561d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58
SHA512da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33
-
Filesize
152B
MD5c9efc5ba989271670c86d3d3dd581b39
SHA13ad714bcf6bac85e368b8ba379540698d038084f
SHA256c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3
SHA512c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7
-
Filesize
5KB
MD5dfbc7cd59126e89ffed7b7a9d7ab1c5b
SHA14309a3e8f3002ce4b1fd5fdabc05339b216b27f0
SHA2565a00872bc1de1689f4030bd8de2584a6d2126b44479ecb5fcef79e870bfe372a
SHA512cd3805abaa10b7eb55131668d0605fabe95dfc77e9e5afaa4127a340ac1e31ff5e3c643b1b1d2d04061e9cd8e5497d1075e06953830ed2355dfd9a847fbbcab4
-
Filesize
5KB
MD55cfef5554362c1101a16b131cdc415be
SHA1273d915259437db7b97c5eec62fc01f2ee091288
SHA25601d7de9a63dcef349e105b46929e740d1db1a115e1244412160b2aa05822297a
SHA5127d9c71560513c43213df6ac940043ccea91191a7ef80636efa80b628f9aa2d72dbae35fdc7294c83cd89c00c505a7d199037c13a44d1723db6ffbb041a6f6201
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5d5a83c763e8ba7618fdc8717c0259778
SHA10251dcf002de4eeef0747afefa0deaa524cf4ab3
SHA256bebc4a72ccc7006be3002ad3fbb031a55d319d3e920e6c8450a1e124908c1595
SHA51216c69442760c77258b20877d705855e9bb9f554a8ca385f6e0e9daddd22cbfde3ec08b5519feb4e783b839caf14301062bbfe2466168f2bd7a61c0dd560c7209
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e